From: Remi Tricot-Le Breton
Date: Fri, 18 Apr 2025 15:26:55 +0000 (+0200)
Subject: MINOR: ssl: Add ocsp stapling callback traces
X-Git-Tag: v3.2-dev13~25
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=dbdd0630e18bb8dd6fc5f80fe14848e36c5f88c6;p=thirdparty%2Fhaproxy.git

MINOR: ssl: Add ocsp stapling callback traces

If OCSP stapling fails because of a missing or invalid OCSP response we used to silently disable stapling for the given session. We can now know a bit more what happened regarding OCSP stapling.
---
diff --git a/include/haproxy/ssl_trace-t.h b/include/haproxy/ssl_trace-t.h
index 0678fb68d..a033728b0 100644
--- a/include/haproxy/ssl_trace-t.h
+++ b/include/haproxy/ssl_trace-t.h
@@ -29,6 +29,7 @@ extern struct trace_source trace_ssl;
 #define SSL_EV_CONN_IO_CB (1ULL << 8)
 #define SSL_EV_CONN_HNDSHK (1ULL << 9)
 #define SSL_EV_CONN_VFY_CB (1ULL << 10)
+#define SSL_EV_CONN_STAPLING (1ULL << 11)
 
 #define TRACE_SOURCE &trace_ssl
diff --git a/src/ssl_ocsp.c b/src/ssl_ocsp.c
index 597509058..a6355e6f0 100644
--- a/src/ssl_ocsp.c
+++ b/src/ssl_ocsp.c
@@ -62,6 +62,8 @@
 #include
 #include
 #include
+#include
+#include
 
 #ifdef HAVE_SSL_OCSP
@@ -112,6 +114,8 @@ int ssl_sock_ocsp_stapling_cbk(SSL *ssl, void *arg)
 	int key_type;
 	int index;
 
+	TRACE_ENTER(SSL_EV_CONN_STAPLING, conn);
+
 	ctx = SSL_get_SSL_CTX(ssl);
 	if (!ctx)
 		goto error;
@@ -133,12 +137,16 @@ int ssl_sock_ocsp_stapling_cbk(SSL *ssl, void *arg)
 	}
 
 	ocsp_arg = SSL_CTX_get_ex_data(ctx, ocsp_ex_index);
-	if (!ocsp_arg)
+	if (!ocsp_arg) {
+		TRACE_ERROR("Could not get ex_data", SSL_EV_CONN_STAPLING, conn);
 		goto error;
+	}
 
 	ssl_pkey = SSL_get_privatekey(ssl);
-	if (!ssl_pkey)
+	if (!ssl_pkey) {
+		TRACE_ERROR("Could not get private key from SSL context", SSL_EV_CONN_STAPLING, conn);
 		goto error;
+	}
 
 	key_type = EVP_PKEY_base_id(ssl_pkey);
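Review bot: The message `"Could not get private key from SSL context"` in the `ssl_pkey` check names the wrong object: the value comes from `SSL_get_privatekey(ssl)`, i.e. the per-connection SSL object, while the SSL_CTX was obtained separately a few lines earlier, so an operator reading the trace would look in the wrong place; `TRACE_ERROR("Could not get private key from SSL object", SSL_EV_CONN_STAPLING, conn);` says what actually failed. In the same spirit, the preceding hunk leaves `if (!ctx) goto error;` without a specific trace while every other early exit in this function now gets one, so a NULL SSL_CTX would be reported only by the generic message this commit adds at the `error:` label. ssl_sock_ocsp_stapling_cbk starts and ends outside this hunk.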
@@ -150,8 +158,10 @@ int ssl_sock_ocsp_stapling_cbk(SSL *ssl, void *arg)
 	 */
 	index = ssl_sock_get_ocsp_arg_kt_index(key_type);
-	if (index < 0)
+	if (index < 0) {
+		TRACE_ERROR("Wrong key_type", SSL_EV_CONN_STAPLING, conn);
 		goto error;
+	}
 
 	ocsp = ocsp_arg->m_ocsp[index];
 
@@ -159,13 +169,20 @@ int ssl_sock_ocsp_stapling_cbk(SSL *ssl, void *arg)
 
 	if (!ocsp || !ocsp->response.area ||
-	    !ocsp->response.data ||
-	    (ocsp->expire < date.tv_sec))
+	    !ocsp->response.data) {
+		TRACE_ERROR("Missing OCSP response", SSL_EV_CONN_STAPLING, conn, ssl);
 		goto error;
+	}
+	if (ocsp->expire < date.tv_sec) {
+		TRACE_ERROR("Expired OCSP response", SSL_EV_CONN_STAPLING, conn, ssl);
+		goto error;
+	}
 
 	ssl_buf = OPENSSL_malloc(ocsp->response.data);
-	if (!ssl_buf)
+	if (!ssl_buf) {
+		TRACE_ERROR("Allocation failure", SSL_EV_CONN_STAPLING, conn);
 		goto error;
+	}
 
 	memcpy(ssl_buf, ocsp->response.area, ocsp->response.data);
@@ -176,6 +193,8 @@ int ssl_sock_ocsp_stapling_cbk(SSL *ssl, void *arg)
 		HA_ATOMIC_INC(&counters_px->ocsp_staple);
 	}
 
+	TRACE_LEAVE(SSL_EV_CONN_STAPLING, conn);
+
 	return SSL_TLSEXT_ERR_OK;
 
@@ -186,6 +205,8 @@ error:
 		HA_ATOMIC_INC(&counters_px->failed_ocsp_staple);
 	}
 
+	TRACE_ERROR("Stapling callback error", SSL_EV_CONN_STAPLING, conn);
+
 	return SSL_TLSEXT_ERR_NOACK;
 }
diff --git a/src/ssl_trace.c b/src/ssl_trace.c
index eaec5cf4c..1408ee1af 100644
--- a/src/ssl_trace.c
+++ b/src/ssl_trace.c
@@ -37,6 +37,7 @@ static const struct trace_event ssl_trace_events[] = {
 	{ .mask = SSL_EV_CONN_IO_CB, .name = "sslc_io_cb", .desc = "SSL io callback"},
 	{ .mask = SSL_EV_CONN_HNDSHK, .name = "sslc_hndshk", .desc = "SSL handshake"},
 	{ .mask = SSL_EV_CONN_VFY_CB, .name = "sslc_vfy_cb", .desc = "SSL verify callback"},
+	{ .mask = SSL_EV_CONN_STAPLING, .name = "sslc_stapling", .desc = "SSL OCSP stapling callback"},
 	{ }
 };
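Review bot: The two new `TRACE_ERROR` calls for the missing and expired OCSP response pass `ssl` as a second trace argument while every other `TRACE_ERROR` in this function passes only `conn`; unless the SSL trace decoder interprets that argument for this event (not visible in this diff), the pointer is either ignored or decoded as something else, so it should be dropped or passed uniformly. Separately, the `"Missing OCSP response"` branch folds three distinct conditions (no OCSP entry for this key type, no response buffer, zero-length response) into one message, which is exactly the ambiguity an operator diagnosing a stapling outage has to resolve; splitting `!ocsp` off as `TRACE_ERROR("No OCSP entry for key type", SSL_EV_CONN_STAPLING, conn);` would mirror what the commit already does for the expired case. The enclosing function starts and ends outside this hunk.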
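Review bot: With the generic `TRACE_ERROR("Stapling callback error", ...)` added at the `error:` label, every failure path now emits two error-level events for one cause (the specific message at the `goto` plus this one), and the error exit still has no counterpart to the `TRACE_ENTER` at the top of the function the way the success path's new `TRACE_LEAVE` does. If the intent is to mark the exit, a developer-level `TRACE_DEVEL("leaving on error", SSL_EV_CONN_STAPLING, conn);` keeps the error stream to one event per cause; if the intent is to cover the pre-existing `goto error` paths that have no specific message, those should get their own message at the `goto` instead. The lines before the `error:` label are outside this hunk.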